package com.example.roledemo;

import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.web.bind.annotation.*;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import java.util.ArrayList;
import java.util.List;

@RestController
public class HelloController {

    @GetMapping("/hello")
    public String hello(){
        return "你好 Spring Security";
    }

    @GetMapping("/cxyxj/hello")
    @RolesAllowed({"admin"})
    public String cxyxj() {
        return "cxyxj 你好 Spring Security";
    }


    @GetMapping("/security/hello")
    @RolesAllowed({"user"})
    public String user() {
        return "user 你好 Spring Security";
    }


    @GetMapping("/denyAll")
    @DenyAll
    public String denyAll() {
        return "denyAll 你好 Spring Security";
    }


    @GetMapping("/permitAll")
    @PermitAll
    public String permitAll() {
        SecurityContext context = SecurityContextHolder.getContext();
        Authentication authentication = context.getAuthentication();
        Object principal = authentication.getPrincipal();
        if("anonymousUser".equals(principal)){
            return "fef";
        }
        return "permitAll 你好 Spring Security";
    }

    @GetMapping("/secured")
    @Secured({"admin"})
    public String secured() {
        return "secured 你好 Spring Security";
    }




    // 只有角色为  admin 或者 user才能访问
    @PreAuthorize("hasRole('admin') or hasRole('user')")
    @GetMapping("/preAuthorize")
    public String preAuthorize(){
        return "PreAuthorize 你好 Spring Security";
    }

    //Id大于1才能查询
    @PreAuthorize("#id>1")
    @GetMapping("/findById/{id}")
    public Integer findById(@PathVariable("id") Integer id) {
      return id;
    }

    // 限制只能查询自己的信息
    @PreAuthorize("principal.username.equals(#username)")
    @GetMapping("/findByName/{username}")
    public String findByName(@PathVariable("username") String username) {
        return username;
    }
    //限制只能新增用户名称为abc的用户
    @PreAuthorize("#username.equals('abc')")
    @GetMapping("/add/{username}")
    public String add(@PathVariable("username") String username) {
        return username;
    }

    // 在方法find()调用完成后进行权限检查，如果返回值的id是偶数则表示校验通过，否则表示校验失败，将
    //抛出AccessDeniedException
    @PostAuthorize("returnObject.id%2==0")
    @GetMapping("/find/{id}")
    public SysUser find(@PathVariable("id") Integer id) {
        SysUser sysUser = new SysUser();
        sysUser.setId(id);
        User principal = (User)SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        sysUser.setUsername(principal.getUsername());
        return sysUser;
    }

    // id 大于 1 的才进行查询
    @PreFilter("filterObject > 1")
    @PostMapping("/find")
    public List<Integer> batchGetInfo(@RequestParam("ids") ArrayList<Integer> ids) {
        return ids;
    }

    // id 大于 1 的才进行查询
    @PreFilter(filterTarget = "ids",value = "filterObject > 1")
    @PostMapping("/batchGetInfo")
    public List<Integer> batchGetInfo(@RequestParam("ids") ArrayList<Integer> ids,@RequestParam("ids2")ArrayList<Integer> ids2) {
        return ids;
    }

    // 将结果集为偶数的值进行返回
    @PostFilter("filterObject % 2 == 0")
    @GetMapping("/findAll")
    public List<Integer> findAll() {
        List<Integer> userList = new ArrayList<>();
        for (int i=0; i<10; i++) {
            userList.add(i);
        }
        return userList;
    }

}
